Back to Verisign Labs Tools
Domain Name: Detail: more(+) / less(-) Time: 2023-10-02 22:05:54 UTC, NTP stratum 4

Analyzing DNSSEC problems for bogus.d2a1n1.rootcanary.net

.
Found 3 DNSKEY records for .
DS=20326/SHA-256 verifies DNSKEY=20326/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=20326 and DNSKEY=20326/SEP verifies the DNSKEY RRset
net
Found 1 DS records for net in the . zone
DS=35886/SHA-256 has algorithm RSASHA256
Found 1 RRSIGs over DS RRset
RRSIG=46780 and DNSKEY=46780 verifies the DS RRset
Found 2 DNSKEY records for net
DS=35886/SHA-256 verifies DNSKEY=35886/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=35886 and DNSKEY=35886/SEP verifies the DNSKEY RRset
rootcanary.net
Found 1 DS records for rootcanary.net in the net zone
DS=64786/SHA-256 has algorithm RSASHA256
Found 1 RRSIGs over DS RRset
RRSIG=39455 and DNSKEY=39455 verifies the DS RRset
Found 2 DNSKEY records for rootcanary.net
DS=64786/SHA-256 verifies DNSKEY=64786/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=64786 and DNSKEY=64786/SEP verifies the DNSKEY RRset
ns2.surfnet.nl is authoritative for bogus.d2a1n1.rootcanary.net
d2a1n1.rootcanary.net
Found 1 DS records for d2a1n1.rootcanary.net in the rootcanary.net zone
DS=11102/SHA-256 has algorithm RSAMD5
Found 1 RRSIGs over DS RRset
RRSIG=25188 and DNSKEY=25188 verifies the DS RRset
Found 1 DNSKEY records for d2a1n1.rootcanary.net
DS=11102/SHA-256 verifies DNSKEY=11102/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=11102 and DNSKEY=11102/SEP verifies the DNSKEY RRset
sec2.rcode0.net is authoritative for bogus.d2a1n1.rootcanary.net
bogus.d2a1n1.rootcanary.net A RR has value 145.97.20.20
Found 1 RRSIGs over A RRset
RRSIG=11102 and DNSKEY=11102/SEP does not verify the A RRset (signature verification failed)
None of the 1 RRSIG and 1 DNSKEY records validate the A RRset
The A RRset was not signed by any trusted keys
d2a1n1.rootcanary.net
sec1.rcode0.net is authoritative for bogus.d2a1n1.rootcanary.net
bogus.d2a1n1.rootcanary.net A RR has value 145.97.20.20
Found 1 RRSIGs over A RRset
RRSIG=11102 and DNSKEY=11102/SEP does not verify the A RRset (signature verification failed)
None of the 1 RRSIG and 1 DNSKEY records validate the A RRset

Move your mouse over any or symbols for remediation hints.

Want a second opinion? Test bogus.d2a1n1.rootcanary.net at dnsviz.net.

DNSSEC Analyzer

↓ Advanced options